Managing Data Access Using Windows Server 2008 R2 Shares

Providing access to data stored on a Windows Server 2008 R2 server can be very simple to configure using Windows shares. Existing folders and entire drives can be shared with a few clicks, but understanding who can access that data is critical to security and, in some cases, licensing. Server shares are accessed using the UNC or Universal Naming Convention of \\server\sharename. Administrators can configure a few different settings when creating or updating shares. Share options or features include the following:

  • Determining whether the share will be visible or hidden, based on the share name
  • Setting the description of the share
  • Configuring the type of share; if Server for NFS is installed, there will be two options
  • Configuring the number of simultaneous connections allowed through the share
  • Configuring the cache or offline sync settings of the share
  • Enabling or disabling BranchCache
  • Configuring access-based enumeration to control folder and file visibility based on NTFS permissions
  • Configuring NTFS permissions on the folder or volume hosting the file share
  • Configuring share permissions to manage whether users can read, change, or have full control over a share

Because sharing can be performed for CD drives, DVD drives, and FAT and NTFS volumes, the configurable share permissions are limited to Full Control, Change, and Read. Full Control allows users to manage all data and to reset permissions, Change allows users to manage all data, and Read only allows users to read the data. Because share permissions are not very granular, folder shares should be created only on NTFS volumes, when possible, to increase the security of data.

When shares are created on NTFS volumes, both the Share and NTFS folder and file permissions are applied to the user. Windows Server 2008 R2 will combine the permissions, and the most restrictive permissions will apply. For example, if a folder located at c:\users is shared and testuser1 is granted Read permission at the share and Change or Modify permissions on the NTFS folder, testuser1 will only have Read permission when accessing the data across the network through the share. If testuser1 logs on to the system console and accesses the c:\users folder directly, testuser1 will have Change or Modify permissions.
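The scenario above reproduced with the server's built-in tools, as an added example that is not from the book: the folder path C:\Shared\Projects, the share name Projects, and the local account testuser1 are assumptions, and the commands run in an elevated PowerShell prompt on the Windows Server 2008 R2 host.

```powershell
# Added example (not from the book). Folder, share name and account are assumptions.
$Path  = 'C:\Shared\Projects'
$Share = 'Projects'
$User  = "$env:COMPUTERNAME\testuser1"

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# NTFS layer: grant Modify (M) on the folder, inherited by
# subfolders (CI) and files (OI). This is what applies at the console.
icacls $Path /grant "${User}:(OI)(CI)M" | Out-Null

# Share layer: grant only READ. Over the network the most restrictive of the
# two layers wins, so testuser1 is read-only through \\server\Projects
# even though the NTFS ACL allows Modify.
net share "$Share=$Path" /GRANT:"$User,READ" /REMARK:"Project data" | Out-Null

# Verify both layers: 'net share <name>' prints the share permission,
# icacls prints the NTFS ACL entries on the folder.
net share $Share
icacls $Path

# Check from a workstation while logged on as testuser1: a write through the
# share is refused (Access denied) although the same user can create files in
# C:\Shared\Projects when logged on at the server console.
#   New-Item -Path "\\SERVER\Projects\probe.txt" -ItemType File
```

Review the `net share` and `icacls` output together whenever a user reports unexpected read-only access: the share permission, not the NTFS ACL, is the usual cause.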

Access-Based Enumeration

A new sharing feature included with Windows Server 2008 and Windows Server 2008 R2 is called access-based enumeration. Access-based enumeration, when enabled on a share, hides the folders or files within the share from view for users who do not have access to the data. Access-based enumeration, however, does not hide the share itself. This feature can simplify data access for end users as they will only see what they can access, but, on the flip side, users who are collaborating and trying to instruct their co-workers on where to locate the data might be confused when the folders cannot be located.

Client-Side Caching and Offline Files

To provide flexibility for mobile users and to provide centralized storage for end-user data, Windows Server 2008 R2 shares can be configured to allow, enforce, or disable client-side caching of shared server data. Client-side caching (CSC) is a feature that enables data shared on a server to be synchronized between the server and end-user workstations. This enables end users to access data when the server is unavailable or when the workstation is not connected to the company network. This feature also can be used to ensure that any data stored in a synchronized end-user workstation folder is copied to the server for centralized storage and backup and recoverability.

For CSC to function properly, both the workstation and the server must be configured to support it. CSC from the workstation and server side is more commonly referred to as Offline Files. Depending on the workstation operating system version, different synchronization options are available. A common usage of offline files is to couple offline files with a Group Policy setting called Folder Redirection.

Folder Redirection can be used to redirect the end user's My Documents or Documents folder to a server share. When an end user's My Documents or Documents folder is redirected to a server share with offline files enabled, enforced or not, the folder is automatically configured to synchronize with the server. This functionality ensures that any file an end user saves to their default documents folder will be copied up to the server during synchronization. The default offline file synchronization settings for Windows 7 and Windows Server 2008 R2 will synchronize with the server at logon, logoff, and when a file is opened or saved. Additionally, synchronization can be configured to run when a computer has been idle or when a user locks or unlocks a workstation.

Offline files can be configured on a per-share basis using the shared folder's share property page. By default, all shares allow end users to configure offline file synchronization as they desire. Certain folders (for example, the My Documents or Documents folders), when redirected to a Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 system, will automatically enable and configure the folder to be synchronized. To synchronize additional shares, perform the following steps on the server and the workstation:

  1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.
  2. Click Start, click All Programs, click Administrative Tools, and select Server Manager.
  3. Double-click on Roles, and then double-click on File Services.
  4. Select Share and Storage Management.
  5. In the tasks pane, right-click the share that needs to be available offline, and select Properties.
  6. On the Sharing tab, click the Advanced button.
  7. Select the Caching tab, and verify that one of the following option buttons is selected:
    • Only the Files and Programs That Users Specify Are Available Offline
    • All Files and Programs That Users Open from the Share Are Automatically Available Offline
  8. Close the Share Properties dialog box and the Share and Storage Management console.
  9. Log on to the Windows 7 workstation with an account with administrator privileges.
  10. Click the Windows flag, or Start button, and select Control Panel.
  11. Near the upper-right corner of the Control Panel window, pull down the View By menu and choose to view the window by Small Icons instead of Categories.
  12. Scroll down in the window as necessary to locate Sync Center and click on the link.
  13. When the Sync Center window opens, click on the Manage Offline Files link in the left pane of the window.
  14. When the Offline Files window opens, verify that the top button on the General tab is labeled Disable Offline Files, which means that offline file functionality is enabled. If the button is labeled Enable Offline Files, click the button and click OK to save the settings and reboot the workstation.
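The same configuration and check performed from the command line, as an added example that is not from the book. The share name Projects is an assumption; the first part runs on the server in place of steps 5-8, the second on the Windows 7 workstation in place of steps 9-14.

```powershell
# Added example (not from the book). Share name 'Projects' is an assumption.

# --- Server (Windows Server 2008 R2), elevated prompt ---
# /CACHE values map to the Caching tab option buttons:
#   Manual    = Only the Files and Programs That Users Specify Are Available Offline
#   Documents = All Files and Programs That Users Open from the Share Are
#               Automatically Available Offline
#   None      = offline files not allowed for this share
net share Projects /CACHE:Documents | Out-Null

# The "Caching" line in the output confirms the setting took effect.
net share Projects

# --- Workstation (Windows 7), elevated prompt ---
# The Offline Files feature toggled in Sync Center is backed by the
# CscService service ("Offline Files"). Returning a Boolean lets the
# check be run across many workstations from a script.
function Test-OfflineFilesEnabled {
    $svc = Get-Service -Name CscService -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }
    return ($svc.Status -eq 'Running')
}

if (Test-OfflineFilesEnabled) {
    'Offline Files is enabled (CscService running).'
} else {
    'Offline Files is disabled; enable it in Sync Center > Manage Offline Files and reboot.'
}
```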